Puppet_Web_HTTPS - ACCESS-NRI/accessdev-Trac-archive GitHub Wiki

HTTPS

It's good practice to always use SSL encryption when serving websites. How to do so will depend on the webserver class you're using.

puppetlabs/apache

Set up two vhosts. One listens on port 80 for unencrypted connections and redirects them to the HTTPS version; the other serves the actual content on port 443.

  apache::vhost {"${::hostname}-redirect":
    servername      => $::fqdn,
    port            => '80',
    redirect_status => 'permanent',
    redirect_dest   => "https://${::fqdn}/",
    docroot         => '/var/www/null', # Make sure no files are visible on port 80
  }
  apache::vhost {"${::hostname}-ssl":
    servername      => $::fqdn,
    port            => '443',
    ssl             => true,
    custom_fragment => template('roles/webserver/apache-config.erb'),
    docroot         => '/var/www/html',
  }

Apache will set up a self-signed SSL certificate by default that you can use for testing. User-facing sites should use a signed certificate (email NCI to arrange this).
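Once a signed certificate has been issued, the SSL vhost can be pointed at it. The following is an added example, not part of the original page: it uses the `ssl_cert`, `ssl_key`, `ssl_chain` and `ssl_protocol` parameters of `apache::vhost`. The file paths are placeholders, and it assumes the certificate, key and chain files have already been delivered to the host with the private key readable only by root.

```puppet
# Added example: the SSL vhost from above, using a CA-signed certificate
# instead of Apache's default self-signed one.
# The three paths below are placeholders (assumptions), not paths from the original page.
$cert_file  = '/etc/pki/tls/certs/PLACEHOLDER-site.crt'
$key_file   = '/etc/pki/tls/private/PLACEHOLDER-site.key'
$chain_file = '/etc/pki/tls/certs/PLACEHOLDER-ca-chain.crt'

apache::vhost {"${::hostname}-ssl":
  servername      => $::fqdn,
  port            => '443',
  ssl             => true,
  ssl_cert        => $cert_file,   # Signed server certificate
  ssl_key         => $key_file,    # Matching private key
  ssl_chain       => $chain_file,  # Intermediate CA certificates from the issuer
  # Assumption: clients support TLS 1.2 or later, so older protocols are disabled
  ssl_protocol    => ['all', '-SSLv3', '-TLSv1', '-TLSv1.1'],
  custom_fragment => template('roles/webserver/apache-config.erb'),
  docroot         => '/var/www/html',
}
```

This replaces the `"${::hostname}-ssl"` vhost declaration rather than being added alongside it, since Puppet does not allow two resources with the same title.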